From 22c92df61b549687112eae1bbf0cb2e80ace1428 Mon Sep 17 00:00:00 2001 From: maekuss <220930830+maekuss@users.noreply.github.com> Date: Tue, 23 Jun 2026 05:35:23 +0000 Subject: [PATCH 1/7] docs: add changelog entry for June 23, 2026 --- changelog.mdx | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/changelog.mdx b/changelog.mdx index 4f620bf..a9547f8 100644 --- a/changelog.mdx +++ b/changelog.mdx 
@@ -4,7 +4,45 @@ description: "New features, improvements, and fixes to the Hacktron platform." rss: true --- -{/* CHANGELOG:INSERT last-prod-sha=4b314a3536105727eddda2a900d822e02633438f - the changelog workflow inserts new blocks directly below this line. Do not remove this marker. */} +{/* CHANGELOG:INSERT last-prod-sha=fbbbf5cf881c716c00a469e53524fdbbecbb46fd - the changelog workflow inserts new blocks directly below this line. Do not remove this marker. */} + + + ## Vulnerability details stay private on public repos + + **Redacted findings on public PRs**: For public repositories, the PR review comment no longer includes full titles, descriptions, proof-of-concept code, or file locations for findings outside the changed lines. You see a count and a link back to Hacktron, so sensitive details stay out of the public thread. Private and internal repos are unchanged, and inline comments on the diff itself are unaffected. + + **PR/MR check updates when you triage**: Dismissing a finding as false positive or accepted risk now re-evaluates your fail-on-severity gate and flips a failed GitHub check or GitLab commit status back to success, without waiting for a new scan. It also flips back to failing if you reopen a blocking finding. + + **Org-level fail-on severity default**: Organization admins can now set a default severity threshold for PR/MR checks in settings. Individual repo configs still take precedence when set. + + **Enterprise SSO sign-in**: A dedicated single sign-on page and a "Single sign-on (SSO)" button on the login screen let users authenticate via your organization's SAML or OIDC identity provider. Invite tokens survive the IdP round-trip, so onboarding links still work. + + **Mark a finding as a duplicate**: You can now mark a finding as a duplicate of another finding in the same repository. Duplicate findings are judged by the canonical finding's severity when evaluating your fail-on threshold, and the API key endpoint supports the same action. 
+ + **Duplicate marking in the MCP tool**: The `update_finding` MCP tool now accepts a `duplicate_of` field so you can mark or unmark duplicates programmatically. + + **Editable application threat model**: The synthesized threat model for an application is now editable. Your inline changes are wrapped in markers on save and preserved across regenerations, so the next synthesis pass keeps what you wrote. + + **Threat model reading view**: The repository context detail page now renders the threat model inline in a reading layout, with a left file tree for source documents and an "On this page" outline on the right. No more opening a separate panel to read the model. + + **Threat model sync status**: Repositories now show a "Pending" badge while a threat-model sync is running, so you can tell the difference between "not synced" and "sync in progress." + + **Generate vs. Sync label on threat model button**: The per-repo context button now reads "Generate" when no threat model exists yet and "Sync" once one does, matching what the action actually does. + + **PR link in the finding detail view**: The finding slideover now shows a direct link to the pull or merge request the finding came from. + + **Taint trace expands cleanly at end of file**: Clicking "Expand below" at the last line of a file no longer shows a "Couldn't load more lines" error. The button disappears instead. + + **Add-document modal in the scan wizard**: The "Add document" button in the scan wizard's context documents step now opens a modal with drag-and-drop upload and inline document creation, instead of jumping straight to a file picker. + + **PDF upload limit**: Context document PDFs over 50 pages are rejected at upload with a clear message, instead of being accepted and silently degrading scan context. + + **Scan volume chart**: The scan volume widget on the dashboard is now a stacked bar chart, showing PR review and whitebox scan counts separately per day. 
Hovering a bar shows the breakdown for that day. + + **Legal agreement before starting a trial**: The trial start and payment method flows now surface your legal agreements before you confirm, so there are no surprises at checkout. + + **[Set up GitHub or GitLab →](/code-review/integrations/github-gitlab)** · **[See Code Review billing →](/code-review/billing)** · **[Start a Whitebox scan →](/white-box-pentest/quickstart)** · **[Read the API reference →](/api-reference/findings/update-finding)** + ## Control your scans and account security like never before From dafb6c6072e3e49ba4d7259b7d2ec31f28ad430f Mon Sep 17 00:00:00 2001 From: maekuss Date: Tue, 23 Jun 2026 13:40:13 +0800 Subject: [PATCH 2/7] docs: consolidate June 18 entry into changelog, dedupe June 23 Add the June 18, 2026 entry (from PR #25, being closed) as a single section and remove items from the June 23 entry that it already covers: triage check updates, duplicate marking, scan volume chart, and the legal-agreement-before-trial note. Co-Authored-By: Claude Opus 4.8 (1M context) --- changelog.mdx | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/changelog.mdx b/changelog.mdx index a9547f8..e2f07f5 100644 --- a/changelog.mdx +++ b/changelog.mdx 
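Review bot: The "Redacted findings on public PRs" item in this hunk closes with "inline comments on the diff itself are unaffected", which a reader can easily skim past; since the point of the entry is that sensitive details stay out of public threads, state the carve-out explicitly, e.g. "Findings on changed lines are still posted as inline comments with their full details, including on public repos", so maintainers of public repositories know what remains visible. Smaller style point in the same hunk: the scan volume item writes "whitebox scan counts" while the footer link reads "Start a Whitebox scan"; pick one capitalization for "Whitebox" across the entry.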
@@ -11,14 +11,10 @@ rss: true **Redacted findings on public PRs**: For public repositories, the PR review comment no longer includes full titles, descriptions, proof-of-concept code, or file locations for findings outside the changed lines. You see a count and a link back to Hacktron, so sensitive details stay out of the public thread. Private and internal repos are unchanged, and inline comments on the diff itself are unaffected. - **PR/MR check updates when you triage**: Dismissing a finding as false positive or accepted risk now re-evaluates your fail-on-severity gate and flips a failed GitHub check or GitLab commit status back to success, without waiting for a new scan. It also flips back to failing if you reopen a blocking finding. - **Org-level fail-on severity default**: Organization admins can now set a default severity threshold for PR/MR checks in settings. Individual repo configs still take precedence when set. **Enterprise SSO sign-in**: A dedicated single sign-on page and a "Single sign-on (SSO)" button on the login screen let users authenticate via your organization's SAML or OIDC identity provider. Invite tokens survive the IdP round-trip, so onboarding links still work. - **Mark a finding as a duplicate**: You can now mark a finding as a duplicate of another finding in the same repository. Duplicate findings are judged by the canonical finding's severity when evaluating your fail-on threshold, and the API key endpoint supports the same action. - **Duplicate marking in the MCP tool**: The `update_finding` MCP tool now accepts a `duplicate_of` field so you can mark or unmark duplicates programmatically. **Editable application threat model**: The synthesized threat model for an application is now editable. Your inline changes are wrapped in markers on save and preserved across regenerations, so the next synthesis pass keeps what you wrote. 
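Review bot: Removing the "Mark a finding as a duplicate" item here also drops the only sentence saying that the API key endpoint supports marking duplicates ("the API key endpoint supports the same action"); the surviving "Duplicate marking in the MCP tool" item and the "Read the API reference →" footer link still point at `/api-reference/findings/update-finding` without that context. Either fold the API mention into the MCP item ("The `update_finding` MCP tool and the findings API now accept a `duplicate_of` field …") or carry it into the June 18 "Close findings as duplicates" item so the API link is not orphaned.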
@@ -37,11 +33,23 @@ rss: true **PDF upload limit**: Context document PDFs over 50 pages are rejected at upload with a clear message, instead of being accepted and silently degrading scan context. - **Scan volume chart**: The scan volume widget on the dashboard is now a stacked bar chart, showing PR review and whitebox scan counts separately per day. Hovering a bar shows the breakdown for that day. + **[Set up GitHub or GitLab →](/code-review/integrations/github-gitlab)** · **[Start a Whitebox scan →](/white-box-pentest/quickstart)** · **[Read the API reference →](/api-reference/findings/update-finding)** + + + + ## Dismiss a finding and your PR check clears instantly + + **PR and MR checks update on triage**: When you mark a finding as a false positive or accepted risk, the GitHub check or GitLab commit status flips back to passing right away, with no manual re-run needed. If you later reopen the finding, the check fails again to match. + + **Close findings as duplicates**: You can now mark a finding as a duplicate of another finding in the same repository, and unmark it if needed. A duplicated finding inherits its canonical finding's severity when the PR gate counts blocking issues. + + **Scan volume chart**: The dashboard's scan volume widget now shows a stacked bar chart instead of a line graph, with a tooltip on each bar showing the Code Review and Whitebox scan counts for that day. + + **Upload scans named after the archive**: When you start a Whitebox scan from an uploaded archive, the scan now takes the archive's filename as its name instead of a generic label. - **Legal agreement before starting a trial**: The trial start and payment method flows now surface your legal agreements before you confirm, so there are no surprises at checkout. + **Legal agreement before trial or billing**: You now review and accept the terms of service before starting a free trial or adding a payment method. 
- **[Set up GitHub or GitLab →](/code-review/integrations/github-gitlab)** · **[See Code Review billing →](/code-review/billing)** · **[Start a Whitebox scan →](/white-box-pentest/quickstart)** · **[Read the API reference →](/api-reference/findings/update-finding)** + **[Set up GitHub or GitLab →](/code-review/integrations/github-gitlab)** From 98bcd7eeb2bb92a44b7be0c31b9e20a06da5d0ef Mon Sep 17 00:00:00 2001 From: maekuss Date: Tue, 23 Jun 2026 13:47:42 +0800 Subject: [PATCH 3/7] docs: reorganize June 23 entry around Context page, applications, threat models Lead the June 23 changelog with the new Context page (Repositories + Applications tabs), announce Applications and application-level threat models, and add the threat-model update note on PRs. Group the context/threat-model items together and keep the remaining changes (redacted findings, org fail-on default, SSO, MCP duplicates, PR link, taint trace) after. Co-Authored-By: Claude Opus 4.8 (1M context) --- changelog.mdx | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/changelog.mdx b/changelog.mdx index e2f07f5..2c7e701 100644 --- a/changelog.mdx +++ b/changelog.mdx 
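Review bot: The "Legal agreement before trial or billing" item in the new June 18 section talks about trials and payment methods, but the `[See Code Review billing →](/code-review/billing)` link is deleted from the June 23 footer in the same hunk and not added to the June 18 footer, which keeps only "Set up GitHub or GitLab →". Add the billing link to the June 18 footer line so the billing-related item has somewhere to send the reader. Also, the commit message calls this "the June 18, 2026 entry" but nothing in the added lines carries a date; confirm the changelog workflow or wrapper supplies one, otherwise the section is undated in the rendered page.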
@@ -7,31 +7,37 @@ rss: true {/* CHANGELOG:INSERT last-prod-sha=fbbbf5cf881c716c00a469e53524fdbbecbb46fd - the changelog workflow inserts new blocks directly below this line. Do not remove this marker. */} - ## Vulnerability details stay private on public repos + ## A new Context page for your repositories, applications, and threat models - **Redacted findings on public PRs**: For public repositories, the PR review comment no longer includes full titles, descriptions, proof-of-concept code, or file locations for findings outside the changed lines. You see a count and a link back to Hacktron, so sensitive details stay out of the public thread. Private and internal repos are unchanged, and inline comments on the diff itself are unaffected. - - **Org-level fail-on severity default**: Organization admins can now set a default severity threshold for PR/MR checks in settings. Individual repo configs still take precedence when set. + **A new Context page**: A dedicated Context page now gathers what Hacktron knows about your code, split across Repositories and Applications tabs. Cards are sorted by most recent threat-model update and show a badge for each model's status; clicking one opens its threat model. - **Enterprise SSO sign-in**: A dedicated single sign-on page and a "Single sign-on (SSO)" button on the login screen let users authenticate via your organization's SAML or OIDC identity provider. Invite tokens survive the IdP round-trip, so onboarding links still work. - - **Duplicate marking in the MCP tool**: The `update_finding` MCP tool now accepts a `duplicate_of` field so you can mark or unmark duplicates programmatically. + **Applications**: Group related repositories into an application, and Hacktron synthesizes an application-level threat model by merging the threat models of its member repos. You can scan an application as a single target so findings are grounded in the combined model, and any context documents you upload to the application are folded into it. 
- **Editable application threat model**: The synthesized threat model for an application is now editable. Your inline changes are wrapped in markers on save and preserved across regenerations, so the next synthesis pass keeps what you wrote. + **Threat models as a reading view**: Repository and application threat models now render inline in a reading layout: a left file tree for the model and its source documents, the model itself in a center reading column with Document and History tabs, and an "On this page" outline on the right. No more opening a separate panel to read the model. - **Threat model reading view**: The repository context detail page now renders the threat model inline in a reading layout, with a left file tree for source documents and an "On this page" outline on the right. No more opening a separate panel to read the model. + **Editable threat models**: Per-repo and application threat models are now editable inline. Your changes are wrapped in markers on save and preserved across regenerations, so the next synthesis pass keeps what you wrote. **Threat model sync status**: Repositories now show a "Pending" badge while a threat-model sync is running, so you can tell the difference between "not synced" and "sync in progress." - **Generate vs. Sync label on threat model button**: The per-repo context button now reads "Generate" when no threat model exists yet and "Sync" once one does, matching what the action actually does. + **Generate vs. Sync label on threat model button**: The threat-model button now reads "Generate" when no model exists yet and "Sync" once one does, matching what the action actually does. - **PR link in the finding detail view**: The finding slideover now shows a direct link to the pull or merge request the finding came from. 
+ **Threat model updates noted on your PRs**: When a refreshed threat model grounds a scan, the findings review comment now opens with a short note explaining why the model changed (its initial build, a manual resync, triage feedback, or an application rebuild), folded into the review instead of posting a separate comment. - **Taint trace expands cleanly at end of file**: Clicking "Expand below" at the last line of a file no longer shows a "Couldn't load more lines" error. The button disappears instead. + **PDF upload limit**: Context document PDFs over 50 pages are rejected at upload with a clear message, instead of being accepted and silently degrading scan context. **Add-document modal in the scan wizard**: The "Add document" button in the scan wizard's context documents step now opens a modal with drag-and-drop upload and inline document creation, instead of jumping straight to a file picker. - **PDF upload limit**: Context document PDFs over 50 pages are rejected at upload with a clear message, instead of being accepted and silently degrading scan context. + **Redacted findings on public PRs**: For public repositories, the PR review comment no longer includes full titles, descriptions, proof-of-concept code, or file locations for findings outside the changed lines. You see a count and a link back to Hacktron, so sensitive details stay out of the public thread. Private and internal repos are unchanged, and inline comments on the diff itself are unaffected. + + **Org-level fail-on severity default**: Organization admins can now set a default severity threshold for PR/MR checks in settings. Individual repo configs still take precedence when set. + + **Enterprise SSO sign-in**: A dedicated single sign-on page and a "Single sign-on (SSO)" button on the login screen let users authenticate via your organization's SAML or OIDC identity provider. Invite tokens survive the IdP round-trip, so onboarding links still work. 
+ + **Duplicate marking in the MCP tool**: The `update_finding` MCP tool now accepts a `duplicate_of` field so you can mark or unmark duplicates programmatically. + + **PR link in the finding detail view**: The finding slideover now shows a direct link to the pull or merge request the finding came from. + + **Taint trace expands cleanly at end of file**: Clicking "Expand below" at the last line of a file no longer shows a "Couldn't load more lines" error. The button disappears instead. **[Set up GitHub or GitLab →](/code-review/integrations/github-gitlab)** · **[Start a Whitebox scan →](/white-box-pentest/quickstart)** · **[Read the API reference →](/api-reference/findings/update-finding)** From 0ee4ca9c659fc066d24c645a4d1fde9b31ca4850 Mon Sep 17 00:00:00 2001 From: maekuss Date: Tue, 23 Jun 2026 14:08:06 +0800 Subject: [PATCH 4/7] docs: consolidate threat-model items into one changelog entry Merge the five threat-model bullets (reading view, editable, sync status, generate/sync label, PR update note) into a single "Threat models" entry covering the main changes. Co-Authored-By: Claude Opus 4.8 (1M context) --- changelog.mdx | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/changelog.mdx b/changelog.mdx index 2c7e701..655a48e 100644 --- a/changelog.mdx +++ b/changelog.mdx 
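Review bot: The new "Threat model updates noted on your PRs" item says the note is "folded into the review instead of posting a separate comment", and the same section's "Redacted findings on public PRs" item says sensitive details stay out of public threads; read together, a public-repo maintainer will want to know whether the threat-model note can surface model content. The item's own parenthetical lists only reasons ("its initial build, a manual resync, triage feedback, or an application rebuild"), so say that plainly: "The note states only the reason for the refresh, not the model's contents." Minor wording point in the "Applications" item: "are folded into it" has an ambiguous antecedent (the application or its threat model); "folded into that threat model" is clearer.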
@@ -13,15 +13,7 @@ rss: true **Applications**: Group related repositories into an application, and Hacktron synthesizes an application-level threat model by merging the threat models of its member repos. You can scan an application as a single target so findings are grounded in the combined model, and any context documents you upload to the application are folded into it. - **Threat models as a reading view**: Repository and application threat models now render inline in a reading layout: a left file tree for the model and its source documents, the model itself in a center reading column with Document and History tabs, and an "On this page" outline on the right. No more opening a separate panel to read the model. - - **Editable threat models**: Per-repo and application threat models are now editable inline. Your changes are wrapped in markers on save and preserved across regenerations, so the next synthesis pass keeps what you wrote. - - **Threat model sync status**: Repositories now show a "Pending" badge while a threat-model sync is running, so you can tell the difference between "not synced" and "sync in progress." - - **Generate vs. Sync label on threat model button**: The threat-model button now reads "Generate" when no model exists yet and "Sync" once one does, matching what the action actually does. - - **Threat model updates noted on your PRs**: When a refreshed threat model grounds a scan, the findings review comment now opens with a short note explaining why the model changed (its initial build, a manual resync, triage feedback, or an application rebuild), folded into the review instead of posting a separate comment. + **Threat models**: Repository and application threat models now render inline in a reading layout with a source-document file tree and an "On this page" outline, and you can edit them directly with your changes preserved across regenerations. 
Repositories show a "Pending" badge while a sync runs, the action button reads "Generate" or "Sync" to match the model's state, and when a refreshed model grounds a scan the findings review opens with a short note on why the model changed. **PDF upload limit**: Context document PDFs over 50 pages are rejected at upload with a clear message, instead of being accepted and silently degrading scan context. From 290fb543e9485b876a789a8d9487ebf7da1e0f16 Mon Sep 17 00:00:00 2001 From: maekuss Date: Tue, 23 Jun 2026 14:11:20 +0800 Subject: [PATCH 5/7] docs: trim Context page label and shorten threat-model entry Drop "A new" from the Context page item label and tighten the consolidated threat-models description. Co-Authored-By: Claude Opus 4.8 (1M context) --- changelog.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/changelog.mdx b/changelog.mdx index 655a48e..0166faa 100644 --- a/changelog.mdx +++ b/changelog.mdx 
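Review bot: The consolidated "Threat models" item packs five features into two sentences, and the second sentence strings together three unrelated behaviours (the "Pending" badge, the "Generate"/"Sync" label, and the PR review note) with commas; it reads as a run-on. Either split it into two short sentences or keep the PR-review note as its own line, since it concerns what appears on pull requests rather than the Context page UI. The merge also silently drops the Document and History tabs and the list of refresh reasons from the earlier bullets; if those are meant to go, the commit body should say so rather than describing the merge as "covering the main changes".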
@@ -9,11 +9,11 @@ rss: true ## A new Context page for your repositories, applications, and threat models - **A new Context page**: A dedicated Context page now gathers what Hacktron knows about your code, split across Repositories and Applications tabs. Cards are sorted by most recent threat-model update and show a badge for each model's status; clicking one opens its threat model. + **Context page**: A dedicated Context page now gathers what Hacktron knows about your code, split across Repositories and Applications tabs. Cards are sorted by most recent threat-model update and show a badge for each model's status; clicking one opens its threat model. **Applications**: Group related repositories into an application, and Hacktron synthesizes an application-level threat model by merging the threat models of its member repos. You can scan an application as a single target so findings are grounded in the combined model, and any context documents you upload to the application are folded into it. - **Threat models**: Repository and application threat models now render inline in a reading layout with a source-document file tree and an "On this page" outline, and you can edit them directly with your changes preserved across regenerations. Repositories show a "Pending" badge while a sync runs, the action button reads "Generate" or "Sync" to match the model's state, and when a refreshed model grounds a scan the findings review opens with a short note on why the model changed. + **Threat models**: Repository and application threat models now open in an inline reading view with a file tree and outline, and you can edit them with your changes preserved across regenerations. A "Pending" badge shows while a sync runs, the button reads "Generate" or "Sync" to match the model's state, and PR reviews note when a refreshed model grounded the scan. 
**PDF upload limit**: Context document PDFs over 50 pages are rejected at upload with a clear message, instead of being accepted and silently degrading scan context. From 23e1efa38189b4728a0afcbbaaacf8e068391ec2 Mon Sep 17 00:00:00 2001 From: maekuss Date: Tue, 23 Jun 2026 14:18:02 +0800 Subject: [PATCH 6/7] docs: drop sync/badge/PR sentence from threat-models entry Co-Authored-By: Claude Opus 4.8 (1M context) --- changelog.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changelog.mdx b/changelog.mdx index 0166faa..07dc13f 100644 --- a/changelog.mdx +++ b/changelog.mdx @@ -13,7 +13,7 @@ rss: true **Applications**: Group related repositories into an application, and Hacktron synthesizes an application-level threat model by merging the threat models of its member repos. You can scan an application as a single target so findings are grounded in the combined model, and any context documents you upload to the application are folded into it. - **Threat models**: Repository and application threat models now open in an inline reading view with a file tree and outline, and you can edit them with your changes preserved across regenerations. A "Pending" badge shows while a sync runs, the button reads "Generate" or "Sync" to match the model's state, and PR reviews note when a refreshed model grounded the scan. + **Threat models**: Repository and application threat models now open in an inline reading view with a file tree and outline, and you can edit them with your changes preserved across regenerations. **PDF upload limit**: Context document PDFs over 50 pages are rejected at upload with a clear message, instead of being accepted and silently degrading scan context. From fbeafcc7aa1ae552bdb50b0a1a1ebedd4deaafdb Mon Sep 17 00:00:00 2001 
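Review bot: This one-line change deletes the only mention of three user-visible behaviours (the "Pending" badge during sync, the "Generate" vs. "Sync" button label, and the PR review note on a refreshed model), and the commit message has no body explaining why. If these shipped in this release, keep at least a one-line mention or a link to where they are documented; if they did not ship, say so in the commit body so the next person editing the changelog does not re-add them from the earlier revisions of this PR.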
From: maekuss Date: Tue, 23 Jun 2026 14:22:10 +0800 Subject: [PATCH 7/7] docs: remove PDF limit, add-document modal, PR link, and taint-trace entries Co-Authored-By: Claude Opus 4.8 (1M context) --- changelog.mdx | 8 -------- 1 file changed, 8 deletions(-) diff --git a/changelog.mdx b/changelog.mdx index 07dc13f..9b1151f 100644 --- a/changelog.mdx +++ b/changelog.mdx @@ -15,10 +15,6 @@ rss: true **Threat models**: Repository and application threat models now open in an inline reading view with a file tree and outline, and you can edit them with your changes preserved across regenerations. - **PDF upload limit**: Context document PDFs over 50 pages are rejected at upload with a clear message, instead of being accepted and silently degrading scan context. - - **Add-document modal in the scan wizard**: The "Add document" button in the scan wizard's context documents step now opens a modal with drag-and-drop upload and inline document creation, instead of jumping straight to a file picker. - **Redacted findings on public PRs**: For public repositories, the PR review comment no longer includes full titles, descriptions, proof-of-concept code, or file locations for findings outside the changed lines. You see a count and a link back to Hacktron, so sensitive details stay out of the public thread. Private and internal repos are unchanged, and inline comments on the diff itself are unaffected. **Org-level fail-on severity default**: Organization admins can now set a default severity threshold for PR/MR checks in settings. Individual repo configs still take precedence when set. 
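Review bot: Removing the "PDF upload limit" item in this hunk takes away the only statement that context-document PDFs over 50 pages are rejected at upload; a user who hits that rejection will find no record of the limit here. Keep the item, or confirm in the commit body that the 50-page limit is documented on the context-documents page and link it from the footer. The commit subject lists four removals but gives no rationale for any of them; a short body ("moved to the docs page" / "not shipped in this release") would make the intent reviewable.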
@@ -27,10 +23,6 @@ rss: true **Duplicate marking in the MCP tool**: The `update_finding` MCP tool now accepts a `duplicate_of` field so you can mark or unmark duplicates programmatically. - **PR link in the finding detail view**: The finding slideover now shows a direct link to the pull or merge request the finding came from. - - **Taint trace expands cleanly at end of file**: Clicking "Expand below" at the last line of a file no longer shows a "Couldn't load more lines" error. The button disappears instead. - **[Set up GitHub or GitLab →](/code-review/integrations/github-gitlab)** · **[Start a Whitebox scan →](/white-box-pentest/quickstart)** · **[Read the API reference →](/api-reference/findings/update-finding)**
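Review bot: This hunk removes the two remaining fix-type items ("PR link in the finding detail view" and "Taint trace expands cleanly at end of file"), leaving the June 23 entry with feature announcements only. If the changelog is meant to exclude fixes, that convention is not stated anywhere in the visible lines; if not, a compact "Fixes:" line such as "Fixes: finding slideover now links to its PR/MR; 'Expand below' no longer errors at end of file" preserves the record for users who reported the taint-trace error. Separately, seven commits with "Co-Authored-By" trailers rewriting one file back and forth (items added in PATCH 1/7, moved in 3/7, merged in 4/7, trimmed in 5/7 and 6/7, deleted in 7/7) would be easier to review and bisect as a single squashed docs commit.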